在控制节点
在你配置 OpenStack 身份认证服务前,你必须创建一个数据库和管理员令牌。
完成下面的步骤以创建数据库:
用数据库连接客户端以 root 用户连接到数据库服务器:
$ mysql -u root -p
创建 keystone 数据库:
CREATE DATABASE keystone;
对keystone
数据库授予恰当的权限:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
[root@controller ~]# mysql -u root -p
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.20-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.009 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
-> IDENTIFIED BY 'zmd_9001';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
-> IDENTIFIED BY 'zmd_9001';
Query OK, 0 rows affected (0.001 sec)
# yum -y install openstack-keystone httpd mod_wsgi
提前要关闭selinux和firewalld,否则后面有的服务没有相应
在 [database] 部分,配置数据库访问:
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
将KEYSTONE_DBPASS
替换为你为数据库选择的密码。
在[token]
部分,配置Fernet UUID令牌的提供者。
[token]
# ...
provider = fernet
# su -s /bin/sh -c "keystone-manage db_sync" keystone
注解
忽略输出中任何不推荐使用的信息。
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
编辑/etc/httpd/conf/httpd.conf
文件,配置ServerName
选项为控制节点:
ServerName controller
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
启动 Apache HTTP 服务并配置其随系统启动:
systemctl enable httpd.service
systemctl start httpd.service
报错
[root@controller ~]# journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
3月 31 15:45:55 controller httpd[1692]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000
3月 31 15:45:55 controller httpd[1692]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:5000
3月 31 15:45:55 controller httpd[1692]: no listening sockets available, shutting down
3月 31 15:45:55 controller httpd[1692]: AH00015: Unable to open logs
3月 31 15:45:55 controller systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
3月 31 15:45:55 controller systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
selinux限制了端口,关闭selinux或其他方法。
Configure the administrative account by setting the proper environmental variables:
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:5000/v3
$ export OS_IDENTITY_API_VERSION=3
The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects, users, and roles.
认证服务为openstack服务提供认证服务,认证服务使用了域,项目,用户和角色的组合。
Although the “default” domain already exists from the keystone-manage bootstrap step in this guide, a formal way to create a new domain would be:
$ openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 2f4f80574fd84fe6ba9067228ae0a50c |
| name | example |
| tags | [] |
+-------------+----------------------------------+
报错
[root@controller ~]# openstack domain create --description "An Example Domain" example
Missing value auth-url required for auth plugin password
因为重启了系统,没有保存环境变量。
重新执行下上面的环境变量设置。
[root@controller ~]# openstack domain create --description "An Example Domain" example
Missing value auth-url required for auth plugin password
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=****
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | cb1f7e9a4809438cb4a0f968760307f0 |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
This guide uses a service project that contains a unique user for each service that you add to your environment. Create the service project:
$ openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
执行结果
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=zmd_9001
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
[root@controller ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | cfd7929faa4d456ba0633f4934ed0106 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the myproject project and myuser user.
$ openstack project create --domain default \
--description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain | False |
| name | myproject |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
结果
[root@controller ~]# openstack project create --domain default \
> --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | d33724f9baf9444e9622d102d9541826 |
| is_domain | False |
| name | myproject |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
$ openstack user create --domain default \
--password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | aeda23aa78f44e859900e22c24817832 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
结果
[root@controller ~]# openstack user create --domain default \
> --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 62623ccda6ce4e4c82b10cd51521aad8 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@controller ~]#
$ openstack role create myrole
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | myrole |
+-----------+----------------------------------+
结果
[root@controller ~]# openstack role create myrole
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | dea0722037a346b9a5dc790e39b0d017 |
| name | myrole |
| options | {} |
+-------------+----------------------------------+
$ openstack role add --project myproject --user myuser myrole
这个没有显示
在控制节点操作
查询下刚刚建立的元素
[root@controller ~]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+--------------------+
| cb1f7e9a4809438cb4a0f968760307f0 | example | True | An Example Domain |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+--------------------+
[root@controller ~]# openstack role list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 0d6def14a0df408f8834bd82065856a5 | member |
| 5feb9c7b483b46cf897af25ba7d8fa5a | reader |
| db335b47ae26492e9da33881087e80c6 | admin |
| dea0722037a346b9a5dc790e39b0d017 | myrole |
+----------------------------------+--------+
[root@controller ~]# openstack user list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| a6a881a6089843b9999b2a0a7397c5d7 | admin |
| 62623ccda6ce4e4c82b10cd51521aad8 | myuser |
+----------------------------------+--------+
[root@controller ~]# openstack project list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| cfd7929faa4d456ba0633f4934ed0106 | service |
| d33724f9baf9444e9622d102d9541826 | myproject |
| faf1dd393fae450b8afc29ebc9d9b6d1 | admin |
+----------------------------------+-----------+
$ unset OS_AUTH_URL OS_PASSWORD
As the admin user, request an authentication token:
创建token
作为 admin 用户,请求认证令牌:
$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
结果
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2022-04-01T01:32:29+0000 |
| id | gAAAAABiRkgdBWiaVeJI1DK2y6qn_MMoSXFrDuXg4eMxm6Dm7ip3MeaLuQGmXU69MZX3yW-0H8QzUvCNQJykAes0dD_2KQvkeKS9LSWacXEer-JJXw4rXj4riEnnjUYVdHIygcuwm4Yz_RPPaLHVgl23NpGomVEmGUqQDRkeKyWTsk_vSJG0XYU |
| project_id | faf1dd393fae450b8afc29ebc9d9b6d1 |
| user_id | a6a881a6089843b9999b2a0a7397c5d7 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
作为myuser
用户,请求认证令牌:
$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name myproject --os-username myuser token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
结果
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name myproject --os-username myuser token issue
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2022-04-01T01:40:47+0000 |
| id | gAAAAABiRkoPRFjUYIYNYAvfIiisvt-Xefaf3pa6rGcFBsUAic83cz2rwRvsp1LRvYu-sCB4VgpPs5OXtnj9oBrFiinRcJ56_lIfBFJPRtHu5wxxx3kCrE8VlriDHgakxDKvC731s9jLoubX_KU55PUirZ2YHNMx-O79O-58FmkgP1BMJRMAoNg |
| project_id | d33724f9baf9444e9622d102d9541826 |
| user_id | 62623ccda6ce4e4c82b10cd51521aad8 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
前一节中使用环境变量和命令选项的组合通过openstack
客户端与身份认证服务交互。为了提升客户端操作的效率,OpenStack支持简单的客户端环境变量脚本即OpenRC 文件。这些脚本通常包含客户端所有常见的选项,当然也支持独特的选项
创建 admin 和 demo
项目和用户创建客户端环境变量脚本。本指南的接下来的部分会引用这些脚本,为客户端操作加载合适的的凭证
这个脚本可以放在任何一个安全和方便拿到的位置。
编辑文件 admin-openrc 并添加如下内容:
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Replace ADMIN_PASS with the password you chose for the admin user in the Identity service.
Create and edit the demo-openrc file and add the following content:
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Replace DEMO_PASS with the password you chose for the demo user in the Identity service.
使用特定租户和用户运行客户端,你可以在运行之前简单地加载相关客户端脚本。例如:
admin-openrc
文件来身份认证服务的环境变量位置和admin
项目和用户证书:$ . admin-openrc
$ openstack token issue
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:44:35.659723Z |
| id | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
| | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
| | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
结果
[root@controller ~]# . admin-openrc
[root@controller ~]# openstack token issue
+------------+----------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------+
| Field | Value |
+------------+----------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------+
| expires | 2022-04-01T02:10:47+0000 |
| id | gAAAAABiRlEXe5-Tt9lKrrqOxMKBsj2m3vptBTO_nMIum7FxZ1BbK0wgNYJ-cg2bHKWJMzqiNjkBduvxECFvbRB2QM6oQsdgzr1p49wRMM7DxrqTE_iQin C9i2fQAbtzsA3Wdnt32_y-3yGtuKOWWBDGJPbQU12RJlmqv1roLApFyBFVOydW_i4 |
| project_id | faf1dd393fae450b8afc29ebc9d9b6d1 |
| user_id | a6a881a6089843b9999b2a0a7397c5d7 |
+------------+----------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------+
每请求一次获得一个不同的token